The purpose of isolating network services is to (possibly) limit the damage of an attack upon them.

Web servers that run "server side" programs, such as CGI or PHP, may have errors in those programs which allow an attacker to submit and execute their own code -- an injection. That injected code can do anything the web server could do.

This is a reason one might choose a "jail" -- a successful attacker would be limited to accessing only those files and services available to the jail. However, this is not necessarily good enough.

For example, the web server may be permitted to contact a database server and issue any SQL operation. A successful attacker, even in a "jail" could still reach out and read or modify the databases available to it.

I can't answer jail or FreeBSD questions. But now you know why a jail may be recommended for nginx in FreeBSD. I hope your headache subsides.

Because if an attacker can still easily go to the database then everything is doomed.

A jail can protect only the main server, but the web service is in deep problems.
An attacker can replace the files in /var/www/html and then what?

--------------------
The protection is only between the main server and the web application, not between the
attacker and the web application, therefore the web application is not protected.
--------------------

Quote:

Because if an attacker can still easily go to the database then everything is doomed.

With this architecture...

Code:

[web server] - [database]

a jail, a chroot, a DMZ, or some other separation technology may limit data access, data change, or data loss. "Doom" will depend on the nature and extent of the attack.

With this architecture...

Code:

[web server] - [application server] - [database]

the web server is used for presentation, and database access is controlled by the business rules of the application server. An attacker that compromises a web server would not have free rein to attack the database server without first compromising the application server.

Quote:

A jail can protect only the main server, but the web service is in deep problems.

An attacker can replace the files in /var/www/html and then what?

Perhaps I wasn't clear. A compromised platform is one that is under partial or complete control of the attacker. ALL of these various technologies merely limit the extent of possible control. In the case of a web server, it is not only the files accessible to the web server, but its ability to be used as an attack vector towards other systems -- I used a back end database server as a common example.

Quote:

What do you think, is my conclusion true?

Yes. But for clarity, ANY network-facing application is at risk from attack. And that includes... not just Internet-facing, but private networks as well. A compromised platform on a private network could be a vector of attack.

Quote:

Other means like DMZ maybe.

No; perhaps you misunderstand what these are. They limit broad access but by design they permit certain types of access. For example, a DMZ that permits a web server to only access a database server will not prevent an attack on that database server if the web server is compromised.

Security cannot be installed.

Security is not software, nor is it hardware. Security is a process. And that is because you cannot eliminate risk. But by understanding risks, you can seek to mitigate them. In this case, risk mitigations do come from infrastructure design, and there are also mitigations from software implementation and software tools, and also from operational best practices.

A web application firewall (WAF) is an appliance, server plugin, or filter that applies a set of rules to an HTTP conversation. Generally, these rules cover common attacks such as Cross-site Scripting (XSS) and SQL Injection. By customizing the rules to your application, many attacks can be identified and blocked. The effort to perform this customization can be significant and needs to be maintained as the application is modified.
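The difference between the two diagrams in the post above, shown as an added example (not code from this thread or from any poster): constructed sqlite3 sample data, a web tier that holds a raw database connection versus a hypothetical AppServer class that owns the connection and exposes only scoped business operations, so code running in a compromised web tier can never hand SQL text to the database.

```python
import sqlite3

# Constructed sample data: two customers' orders in a single table.
def build_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE orders (id INTEGER, customer TEXT, item TEXT)")
    db.executemany("INSERT INTO orders VALUES (?, ?, ?)",
                   [(1, "alice", "book"), (2, "bob", "lamp"), (3, "bob", "desk")])
    db.commit()
    return db

# Architecture 1: [web server] - [database].
# The web tier holds the connection, so anything executing there
# (including injected code) can issue whatever SQL it likes.
def web_tier_direct(db, sql):
    return db.execute(sql).fetchall()

# Architecture 2: [web server] - [application server] - [database].
# Hypothetical application server: it owns the connection and accepts
# only business operations with parameters, never SQL text.
class AppServer:
    def __init__(self, db):
        self._db = db

    def list_orders(self, customer):
        # Parameterised and scoped to one customer; a quote or keyword in
        # the argument is just data, not part of the statement.
        return self._db.execute(
            "SELECT id, item FROM orders WHERE customer = ?", (customer,)).fetchall()

    def cancel_order(self, customer, order_id):
        # Business rule: a customer may cancel only their own orders.
        cur = self._db.execute(
            "DELETE FROM orders WHERE id = ? AND customer = ?", (order_id, customer))
        self._db.commit()
        return cur.rowcount == 1

def demo():
    db = build_db()
    # Direct tier: a compromised web server can dump (or drop) every row.
    dumped = web_tier_direct(db, "SELECT customer, item FROM orders")
    app = AppServer(db)
    # Mediated tier: only the exposed operations are reachable, each scoped.
    bob_only = app.list_orders("bob")
    cross_customer = app.cancel_order("alice", 2)   # bob's order: refused
    inert = app.list_orders("x' OR '1'='1")          # treated as a literal name
    return len(dumped), len(bob_only), cross_customer, len(inert)
```

The application server still trusts the customer identity the web tier forwards, which is why the post above says the attacker must compromise it as well before reaching beyond the operations it chose to expose.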

---------------------

Maybe better to concentrate on the upper levels other than the lower levels protection.